QuickStartSVID

from AuthSec_SDK import QuickStartSVID

svid = await QuickStartSVID.initialize(socket_path="/run/spire/sockets/agent.sock")

Method / Property                          | Description
await .initialize(socket_path)             | Connect to the agent, fetch the SVID, start auto-renewal
await .validate_jwt_svid(token, audience)  | Validate a JWT-SVID. Returns {"spiffe_id": ..., "claims": {...}} or None
await .fetch_jwt_svid(audience)            | Fetch a JWT-SVID for calling other services. Returns the token string
.create_ssl_context_for_server()           | SSL context for an mTLS server (requires client certs)
.create_ssl_context_for_client()           | SSL context for an mTLS client (presents your SVID)
.spiffe_id                                 | Your SPIFFE ID string
.cert_file_path                            | Path to the cert file (auto-updated on renewal)
.key_file_path                             | Path to the private key file
.ca_file_path                              | Path to the CA bundle file
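The check a practitioner needs around validate_jwt_svid, as an added example that is not code from AuthSec_SDK or from this page: a valid JWT-SVID proves who the caller is, but the server still has to decide whether that SPIFFE ID may call it, so validation is followed by an allow-list check on the returned spiffe_id. Only the call validate_jwt_svid(token, audience) and its documented return shape come from the table above; the audience, the allow-list, the handler, and the fake validator used to run the example offline are assumptions.

```python
import asyncio
from typing import Awaitable, Callable, Mapping, Optional, Tuple

# Assumed values for this example: the audience this service expects in inbound
# JWT-SVIDs, and the caller SPIFFE IDs allowed to reach the endpoint.
AUDIENCE = "spiffe://example.org/order-service"
ALLOWED_CALLERS = frozenset({
    "spiffe://example.org/ns/production/sa/checkout",
    "spiffe://example.org/ns/production/sa/payments",
})

# Shape of svid.validate_jwt_svid as the reference table describes it:
# (token, audience) -> {"spiffe_id": ..., "claims": {...}} or None.
Validator = Callable[[str, str], Awaitable[Optional[dict]]]


def bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Pull the token out of "Authorization: Bearer <token>"; None if absent or malformed."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token:
        return None
    return token


def authorize(result: Optional[dict], allowed: frozenset) -> bool:
    """A validated SVID only establishes identity; this decides whether that
    identity may call us. The decision is keyed on the SPIFFE ID the validator
    returned, not on claims the caller could pick itself."""
    return result is not None and result.get("spiffe_id") in allowed


async def handle_request(headers: Mapping[str, str], validate: Validator) -> Tuple[int, str]:
    """Returns (status, body): 401 for a missing or invalid token, 403 for a
    valid token whose SPIFFE ID is not on the allow-list, 200 otherwise."""
    token = bearer_token(headers)
    if token is None:
        return 401, "missing bearer token"
    result = await validate(token, AUDIENCE)
    if result is None:
        return 401, "invalid JWT-SVID"
    if not authorize(result, ALLOWED_CALLERS):
        return 403, "caller %s is not allowed" % result["spiffe_id"]
    return 200, "hello %s" % result["spiffe_id"]


async def handle_with_sdk(headers: Mapping[str, str]) -> Tuple[int, str]:
    """The real wiring (not exercised offline): the validator is the SDK method
    from the table. Needs the AuthSec_SDK package and a reachable agent socket."""
    from AuthSec_SDK import QuickStartSVID  # imported here so the module loads without the SDK
    svid = await QuickStartSVID.initialize(socket_path="/run/spire/sockets/agent.sock")
    return await handle_request(headers, svid.validate_jwt_svid)


# Constructed stand-in for validate_jwt_svid so the example runs without an agent.
# It returns the documented shape and rejects tokens whose audience does not match.
_FAKE_TOKENS = {
    "tok-checkout": {
        "spiffe_id": "spiffe://example.org/ns/production/sa/checkout",
        "claims": {"aud": [AUDIENCE], "sub": "spiffe://example.org/ns/production/sa/checkout"},
    },
    "tok-scratch": {
        "spiffe_id": "spiffe://example.org/ns/dev/sa/scratch",
        "claims": {"aud": [AUDIENCE], "sub": "spiffe://example.org/ns/dev/sa/scratch"},
    },
    "tok-other-aud": {
        "spiffe_id": "spiffe://example.org/ns/production/sa/checkout",
        "claims": {"aud": ["spiffe://example.org/inventory"], "sub": "spiffe://example.org/ns/production/sa/checkout"},
    },
}


async def fake_validate(token: str, audience: str) -> Optional[dict]:
    """Constructed validator: known token and matching audience, else None."""
    result = _FAKE_TOKENS.get(token)
    if result is None or audience not in result["claims"]["aud"]:
        return None
    return result


def demo(headers: Mapping[str, str]) -> Tuple[int, str]:
    """Run handle_request against the constructed validator."""
    return asyncio.run(handle_request(headers, fake_validate))
```

With the SDK in place, handle_with_sdk() replaces demo(); the 401/403 split is the point: a token that fails validation (bad signature, wrong audience, expired) and a token that validates but belongs to a workload you do not trust are different failures and should be logged differently.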

Certificate Rotation

Handled automatically; no restarts are needed.

  • The agent rotates its own SVID when 66% of its TTL has elapsed
  • Workload SVIDs are pushed to connected workloads over the gRPC stream
  • The SDK writes the updated cert files to disk atomically (under /tmp/spiffe-certs/)
  • Private keys are generated locally and never leave the host

t=0min    SVID issued (1h TTL)
t=40min   Rotation triggered (66% of TTL elapsed)
t=40min   New SVID pushed to the workload over gRPC; cert files updated
t=60min   Old SVID expires (already replaced)

Two things worth checking on the workload side. The key file lives under a shared directory (/tmp/spiffe-certs/), so confirm it is owned by the workload's user and not readable by anyone else. And a Python ssl.SSLContext reads the certificate and key when load_cert_chain() is called, not on each handshake, so verify that a long-lived context obtained from create_ssl_context_for_server() or create_ssl_context_for_client() picks up the rotated files rather than presenting the old SVID until it expires.
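The two mechanics behind the timeline above, as an added example that is not AuthSec_SDK or SPIRE code: computing when the 66% threshold is reached for a given SVID lifetime, and the atomic, permission-restricted file write that lets a reader see either the old cert/key file or the complete new one but never a half-written one. The threshold constant is the page's; the issue time, key contents, file names, and temp-file prefix are constructed for the example.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone

# The page's threshold: rotate once 66% of the SVID's lifetime has elapsed.
ROTATION_FRACTION = 0.66


def rotation_deadline(not_before: datetime, not_after: datetime,
                      fraction: float = ROTATION_FRACTION) -> datetime:
    """Instant at which the given fraction of the SVID lifetime has elapsed."""
    return not_before + (not_after - not_before) * fraction


def needs_rotation(now: datetime, not_before: datetime, not_after: datetime,
                   fraction: float = ROTATION_FRACTION) -> bool:
    """True once rotation is due; an already-expired SVID is trivially due."""
    return now >= rotation_deadline(not_before, not_after, fraction)


def write_atomically(path: str, data: bytes, mode: int = 0o600) -> None:
    """Write data to a temp file in the target directory, fsync it, then rename
    it over path. The rename is what makes the update atomic on POSIX (both
    names are on the same filesystem). mode 0o600 is what a private key needs
    in a shared directory such as /tmp/spiffe-certs/."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".svid-")
    try:
        with os.fdopen(fd, "wb") as fh:       # fdopen owns fd and closes it
            os.fchmod(fh.fileno(), mode)      # restrict before any bytes land
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())             # data durable before it becomes visible
        os.replace(tmp, path)
    except BaseException:
        try:
            os.unlink(tmp)                    # never leave a partial file behind
        except FileNotFoundError:
            pass
        raise


def timeline_minutes(ttl_minutes: int, fraction: float = ROTATION_FRACTION) -> dict:
    """Minute offsets of the page's timeline for an SVID with the given TTL."""
    issued = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed issue time
    expires = issued + timedelta(minutes=ttl_minutes)
    due = rotation_deadline(issued, expires, fraction)
    return {
        "issued": 0,
        "rotation": round((due - issued).total_seconds() / 60),
        "expires": ttl_minutes,
        "due_at_half": needs_rotation(issued + timedelta(minutes=ttl_minutes / 2),
                                      issued, expires, fraction),
        "due_at_deadline": needs_rotation(due, issued, expires, fraction),
    }


def demo_atomic_write() -> dict:
    """Write a constructed key twice into a temp dir and report what a reader sees:
    the second (complete) contents, the file mode, and any leftover temp files."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "svid.key")
        write_atomically(path, b"-----BEGIN PRIVATE KEY-----\nold\n-----END PRIVATE KEY-----\n")
        write_atomically(path, b"-----BEGIN PRIVATE KEY-----\nnew\n-----END PRIVATE KEY-----\n")
        with open(path, "rb") as fh:
            content = fh.read()
        return {
            "content": content,
            "mode": os.stat(path).st_mode & 0o777,
            "leftover_tmp_files": [n for n in os.listdir(d) if n.startswith(".svid-")],
        }
```

For a 1h TTL timeline_minutes(60) puts the rotation at minute 40, matching the timeline; demo_atomic_write() shows a reader never observing the truncated intermediate state and the key landing with mode 0600, which is the property to check on the SDK's own files.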

Selector Reference

Selectors on a workload entry must all match (AND logic) for a workload to receive an SVID.

Selector                  | Example               | Description
k8s:ns                    | production            | Pod namespace
k8s:sa                    | order-service         | Service account name
k8s:pod-label:app         | order-service         | Pod label (here the app label)
k8s:pod-owner:Deployment  | order-service         | Owner reference (owner kind, then owner name)
k8s:pod-image             | myregistry/order:v1   | Container image

Written out in full, the owner selector above is k8s:pod-owner:Deployment:order-service.

Most common pattern:

k8s:ns = production
k8s:sa = order-service
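The AND rule and the selector format above, as an added example that is not SPIRE or AuthSec_SDK code: a selector is split into type and value at its first colon only (so "k8s:pod-label:app:order-service" is type "k8s" with value "pod-label:app:order-service"), and a workload satisfies an entry only when every selector on the entry is in the set the agent attested for it. The attested selector sets and the registration entries are constructed for the example; the "k8s:ns = production" spelling from the page is accepted alongside the colon form.

```python
from typing import Iterable, Set, Tuple

Selector = Tuple[str, str]  # (type, value), e.g. ("k8s", "ns:production")


def parse_selector(text: str) -> Selector:
    """Split a selector into type and value at the FIRST colon only, so the
    value keeps its own colons. The page's "k8s:ns = production" spelling is
    normalised to "k8s:ns:production" first."""
    text = text.strip()
    if " = " in text:
        left, right = text.split(" = ", 1)
        text = "%s:%s" % (left.strip(), right.strip())
    typ, sep, value = text.partition(":")
    if not sep or not typ or not value:
        raise ValueError("malformed selector: %r" % text)
    return typ, value


def normalize(selectors: Iterable[str]) -> Set[Selector]:
    return {parse_selector(s) for s in selectors}


def entry_matches(entry_selectors: Iterable[str], attested: Iterable[str]) -> bool:
    """AND logic: the workload receives the entry's SVID only if every selector
    on the entry is among the selectors attested for the workload. Extra
    attested selectors are fine; a missing one is not."""
    return normalize(entry_selectors).issubset(normalize(attested))


def missing_selectors(entry_selectors: Iterable[str], attested: Iterable[str]) -> Set[str]:
    """Entry selectors the workload did not satisfy, in type:value form.
    This is the first thing to look at when an SVID is unexpectedly not issued."""
    have = normalize(attested)
    return {"%s:%s" % sel for sel in normalize(entry_selectors) - have}


def matching_entries(entries: dict, attested: Iterable[str]) -> Set[str]:
    """Names of all entries whose selectors the workload satisfies."""
    return {name for name, sels in entries.items() if entry_matches(sels, attested)}


# Constructed attested selector sets, in the type:value form the k8s workload
# attestor reports, for pods like the ones in the table above.
ORDER_POD = [
    "k8s:ns:production",
    "k8s:sa:order-service",
    "k8s:pod-label:app:order-service",
    "k8s:pod-owner:Deployment:order-service",
    "k8s:pod-image:myregistry/order:v1",
]
# Same deployment, still running the previous image.
ORDER_POD_OLD_IMAGE = [s.replace(":v1", ":v0") for s in ORDER_POD]
# A pod that copied the label but lives in another namespace and service account.
LOOKALIKE_POD = [
    "k8s:ns:dev",
    "k8s:sa:default",
    "k8s:pod-label:app:order-service",
]

# Constructed registration entries (selector lists), keyed by a label.
ENTRIES = {
    "common": ["k8s:ns = production", "k8s:sa = order-service"],   # the page's common pattern
    "image-pinned": ["k8s:ns:production", "k8s:sa:order-service",
                     "k8s:pod-image:myregistry/order:v1"],
    "label-only": ["k8s:pod-label:app:order-service"],            # too weak on its own
}
```

matching_entries(ENTRIES, LOOKALIKE_POD) returns only "label-only", which is why the common pattern anchors on namespace and service account rather than on a pod label a deployer can set freely; adding the image selector narrows the entry further, at the cost of having to update it on every image release, as missing_selectors(ENTRIES["image-pinned"], ORDER_POD_OLD_IMAGE) shows.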